
SOHO and Corporate Networking with Linux

Date: March 28, 2005
By James Turnbull
Article is provided courtesy of Apress.

Do you need more capabilities than your average SOHO router/firewall offers, but you don't have the budget to buy a more expensive device? Do you need a cheap way to securely and efficiently network small offices, and yet still perform complicated routing using protocols like OSPF or provide services like VPNs? Well, a new breed of hardware-based networking devices running Linux-based open source firmware may be the solution for you.

At the moment, one of the areas that I have been taking a particular interest in is Linux-based firewalls and networking devices. Many people are aware of some of the excellent software-based firewalls such as SmoothWall, IPCop and Sentry. These open source packages allow you to run highly sophisticated Linux-based firewalls and VPN gateways (which often rival or surpass commercial products in terms of functionality) that can run on cheap — even superseded — hardware. These are ideal for deploying into SOHO environments, and in these environments you will often find an older-model PC fulfilling the role of a firewall using this sort of software. Some of these products (such as SmoothWall) have actually developed commercial offerings or provide a commercial version that supplements the open source version.

Fewer people know about the emergence of Linux-based open source software for hardware-based networking equipment such as routers and firewalls. This is particularly evident from the open source development community producing Linux-based firmware for Linksys broadband firewall/routers, gateway devices and wireless access points. Linksys (a subsidiary of Cisco Systems) is one of the many competitors in the cutthroat home and SOHO networking market, competing with other players such as Belkin, Netgear, D-Link and 3Com. The first interesting thing about Linksys's SOHO hardware is that most of the devices run a Linux kernel and operating system as their firmware. But second, and more important, Linksys has released GPL-licensed versions of the firmware source code for many of the networking devices it manufactures.

Probably the most commonly known of the Linksys devices are the WRT54G and WRT54GS broadband routers. These devices are aimed at providing firewall/router capabilities (together with a wireless access point) to home DSL and cable customers. After Linksys's release of the GPL firmware source code for these devices, a community of developers began to modify and enhance the capabilities of the firmware. The end result is that a number of different open source firmware versions are now available for these devices. These firmware versions generally provide more enhanced functionality than the commercially available firmware.

An excellent example of this new development is the Sveasoft-produced firmware for the WRT54G/GS router. The firmware is open source, with public releases being free, and the latest prerelease beta versions available to subscribers for a yearly fee of US$20. The key features of the firmware are expanded functionality and ease of administration. The firmware provides enhanced functionality in a number of areas such as firewalling, wireless settings, security and logging. It allows considerably more administrative control over the routers by exposing settings and options that the Linksys-provided firmware conceals or does not allow you to manipulate. It provides this functionality and control in a web interface front-end that is similar enough in style to the Linksys-provided interface to help you make the transition to the new firmware easily. Additionally, if you prefer, you can use SSH to connect to the router and configure it using a cut-down version of a Linux command line instead of the web interface.

Currently, though, the most interesting development work is in the prerelease betas of the firmware. The latest prerelease beta version is named Alchemy and provides the existing functionality included with the base Linksys firmware as well as considerable additional functionality. It includes the capability to use the router as a wireless hotspot portal, expands its VPN capabilities and provides customized firewalling, including the full functionality of the iptables package. It also includes syslogging to remote devices, Cisco NetFlow probes, QoS capabilities, wireless power boosting, expanded routing (including OSPF, BGP and RIP2), and VLAN functionality, as well as a host of other features. Additionally, many of the available features significantly expand the potential security the device provides to a network or networks.
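As an added illustration of the iptables-based firewalling and logging just mentioned (this script is not from the article, Sveasoft or Linksys), the following POSIX shell script generates a minimal stateful policy of the kind you would load on such a router: default-drop inbound, SSH management from a single LAN host only, NAT for LAN clients, and rate-limited logging of dropped WAN packets so that the remote syslog facility has something useful to forward. The interface names vlan1 and br0, the LAN subnet and the administration host are assumptions chosen to resemble a typical WRT54G layout; the script prints the rules by default so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not the article's or Sveasoft's code): a minimal stateful
# iptables policy for a Linux-based SOHO router. Interface names, LAN subnet
# and the admin host are assumptions for a typical WRT54G layout.
WAN_IF="${WAN_IF:-vlan1}"
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"   # constructed: only host allowed SSH to the router

# fw_rules prints the iptables commands instead of running them, so the
# policy can be reviewed or diffed against the running configuration first.
fw_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
# loopback and replies to connections the router or LAN already opened
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# management: new SSH sessions only from the LAN and only from the admin host
iptables -A INPUT -i $LAN_IF -s $ADMIN_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT
# LAN clients may open connections to the internet through the router (NAT)
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# log (rate-limited, so an attacker cannot flood the syslog server) then drop
# everything else arriving on the WAN side
iptables -A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "WAN-DROP: "
iptables -A INPUT -i $WAN_IF -j DROP
EOF
}

# apply_rules executes the generated policy; this needs root on the router.
apply_rules() {
    fw_rules | sh
}

# count_rules_for CHAIN: number of generated rules appended to CHAIN,
# handy for a quick sanity check of the output before applying it.
count_rules_for() {
    fw_rules | grep -c -- "-A $1 "
}

# Default action is a dry run (print the rules); pass --apply to load them.
case "${1:-}" in
    --apply) apply_rules ;;
    *)       fw_rules ;;
esac
```

Run it without arguments to print the policy for review; `sh firewall.sh --apply` (as root on the router) loads it. The LOG rule carries the `WAN-DROP:` prefix so the kernel messages are easy to pick out once syslogd on the router forwards them to a central syslog host.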

The development has not stopped there, though. A future release of the firmware, code-named Talisman, will contain a package management system in the style of Yum or Apt and a writeable memory partition. This will allow the download of individual and configurable packages to your router. Not only could these provide additional enhanced capabilities, but they could also allow you to build cheap and customised dedicated devices. With a simple script, you could remotely deploy (and update) a device to be used as a cheap VPN gateway, a RADIUS server or even a simple LAN router (though with the capability to do advanced routing using protocols like OSPF if required).

These existing and future capabilities turn the simple commodity router into a powerful networking device, capable of being used not only in a SOHO environment, but also as a small and simple branch office router or a sophisticated access point in a corporate environment. The WRT54G/GS device, when used in this manner, is limited in scale but extremely feature-rich, cost-effective and easy to deploy. In the case of the WRT54G, approximately US$50 buys you a networking device with adaptability and a feature set that rivals products that are much more expensive. Add the future capability to install software packages, and it becomes a powerful way to cheaply deploy a variety of devices. One example that occurs to me is creating ready-made IDS sensors by installing a package such as Snort. These sensors could be created and deployed for a fraction of the cost of dedicated IDS sensor devices.

The developments in this area again prove that Linux-based technology offers an excellent alternative to commercially available solutions. This alternative is not only rich in features and functionality, but is also cheap, simple and easy to administer.

Note that other firmware for WRT54G/GS devices is also available, including the OpenWRT and Wifibox firmware versions.

Resources

Cisco
http://www.cisco.com/

IPCop
http://www.ipcop.org/

Linksys
http://www.linksys.com/

Linksys GPL licensed versions
http://www.linksys.com/support/gpl.asp

OpenWRT
http://openwrt.org/

Sentry
http://www.sentryfirewall.com/

SmoothWall
http://www.smoothwall.org/

Sveasoft
http://www.sveasoft.com/

Wifibox
https://sourceforge.net/projects/wifi-box/





James Turnbull is an IT&T security consultant at the Commonwealth Bank of Australia. He is an experienced infrastructure architect with a background in Linux/Unix, AS/400, Windows and storage systems. He has been involved in security consulting, infrastructure security design, SLA and support services design and business application support. He is the author of Hardening Linux, a technical guide to hardening and securing Linux hosts and applications from Apress.

